Yes on both counts. Stay inside the stated port range (49162:65535), but choose a smaller section of a few dozen ports or so (I don't know how many ftp sessions you plan to serve simultaneously). You can probably narrow things down a little further by only allowing incoming connections to ports 'owned' by the ftp user.
Something like:
Code:
pass in quick on $ext_if inet proto tcp all user ftp_user keep state
might work. Then you'd do this without opening holes in pf.conf. Replace 'ftp_user' with the user proftpd actually runs as.
P.S. I'm doing this from memory, so experiment a little, and consult 'man 5 pf.conf' for exact syntax.
P.P.S. Oh, and this is assuming proftpd runs on the same system as pf.conf!
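An added example, not part of the original post: the two suggestions above (a narrowed passive range plus the `user` match) combined into one pf.conf fragment, with the matching proftpd directive shown as a comment. The interface name `em0` and the sub-range 49162:49200 are constructed values, and `ftp_user` is the placeholder from the post.

```pf
# --- proftpd.conf (assumed setting, must match the range below) ---
#   PassivePorts 49162 49200

# --- pf.conf ---
ext_if     = "em0"            # assumption: external interface name
pasv_ports = "49162:49200"    # constructed sub-range inside 49162:65535

# Passive FTP data connections only: restricted to the narrowed range
# AND to sockets owned by the FTP daemon's user. Per pf.conf(5), for
# incoming connections "user" matches the owner of the listening
# socket, so confirm which uid actually holds proftpd's passive
# listeners before relying on this rule.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) \
    port $pasv_ports user ftp_user keep state
```

Parse the ruleset without loading it using `pfctl -nf /etc/pf.conf`, then check the loaded rule with `pfctl -sr` after a reload.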